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Information Commissioner's Office 


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 


email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
Capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 


stored on UK servers. You can read their Privacy Policy. 


Q1 Does the draft guidance cover the relevant issues about the right 


of access? 
xX Yes 
No 
Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 Does the draft guidance contain the right level of detail? 


x Yes 
No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


Q3 Does the draft guidance contain enough examples? 


Yes 
xX No 


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Further examples around the exemptions would be helpful. Especially around 
‘negotiations’ and how this can and can't be used in relation to employment records 
(disciplinaries etc.). 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


We would welcome more detail on how to define ‘manifestly unfounded or excessive’ 
subject access requests. 

We have previously received requests from parents or foster carers who only want their 
own information from within a substantial sized social care files (or sometimes multiple 


social care files), when they are not the main subject. This can be a very time-consuming 
processes to sometimes find a very small amount of information. Is this excessive? 
Also, where subjects have previously not collected information and then ask for more? 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all 2 - Slightly 3 - Moderately 4 - Very useful 5 - Extremely 
useful useful useful useful 
O O O O 


Q6 Why have you given this score? 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Disagree Neither agree nor Agree Strongly agree 
disagree disagree 
O 0O U 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


. The guidance reads as though we should be providing a copy or link to the privacy notice 
in every SAR response we provide. But Article 13 (Privacy Notice) paragraph 4 says that 
we don't have to provide a Privacy Notice where the data subject has already had the 
information (a copy of the notice has been previously provided). In reality, it’s no real 
extra work for us to add a copy of the link, but it just contradicts the actual legislation and 
| think it needs clarifying in the guidance. 


. The guidance makes it clear that as a public authority unstructured manual personal data 
does fall within the scope of a SAR, but the request must contain a description of the data 
and, because this has its roots in FOI, we can apply the FOI cost limit of 18 hours and 
refuse to provide it if it will take longer than this to locate, retrieve and extract it. What is 
not clear is whether the cost limit applies to the unstructured data only or to the whole 
request (| would suggest it’s just to the unstructured data) so it would be useful to have 
that clarified. 


. Some clarification regarding school deadlines would be helpful. Our understanding was 
that school holidays are working days and that the ICO think that schools generally have 
some staff working through all/part of the holidays so requests should not be left until 
schools return. However, there are some who think that if the school puts an out of office 
message on to say the school is closed, and no staff at all work during the holiday, that 
this somehow lets them get around the deadline issue. | can see how schools could 
struggle if a request comes in and no-one is working, but there’s nothing in this guidance 
which clarifies this matter. 


. Pg. 13 & 54: Duty of confidence owed to the child / child abuse. Clarity needed when 
request is made by a parent requesting on child’s behalf; under what category we take 
this information out 

a. 3% party or 


b. under exemption. 


. Pg.73 Court docs. Clarity on the second point needed: - “Supplied in a report or evidence 
given to court in the course of proceedings.” Court bundles can include LA everyday 
documents as appendix i.e. contact visit, assessments. Does this mean these types of 
documents are exempt, or is it solely referring to documents that have specifically been 
produced for court i.e. SW court statement? 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Staffordshire County Council 


What sector are you from: 


Public Sector 


Q10 How did you find out about this survey? 


Ol ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 
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Thank you for taking the time to complete the survey. 


